The branch, v4-0-test has been updated via 816bb64a56a75d1eb5e879b4abf211af27243686 (commit) via 6673a6e62399c4956a44a06685aa91ce8145b92a (commit) via 514d88580bee3bb17f1032262f5518e3ab2a349a (commit) via c2df7ffa6d67dd9381d10397c679746547cd5e17 (commit) via 15d0951b74b46763024560f9cd012338473c5bc3 (commit) via 736ce50afd9da9b5fbc3db777fd5341dfa4b721a (commit) via 26c2a34dec26890230dfa86827804d8160061ce5 (commit) from 9678085f75b6cb0ed068e22f3d9f94247b200ce2 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit 816bb64a56a75d1eb5e879b4abf211af27243686 Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Thu Jul 31 23:17:20 2008 +1000 Update to a working trustAuthIncoming and trustAuthOutgoing parser. This is based on the docs, as well as testing against a domain trust in windows. Clearly it needs to be more general - perhaps a non IDL parser? Andrew Bartlett commit 6673a6e62399c4956a44a06685aa91ce8145b92a Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Thu Jul 31 21:23:48 2008 +1000 Print trustAuthOutgoing and trustAuthIncoming in RPC-DSSYNC commit 514d88580bee3bb17f1032262f5518e3ab2a349a Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Thu Jul 31 10:51:59 2008 +1000 Use the cldap reply to avoid segfaulting in RPC-DSSYNC Also don't fail the test if the server does not implement the NT4 changelog. Andrew Bartlett commit c2df7ffa6d67dd9381d10397c679746547cd5e17 Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Thu Jul 31 09:07:57 2008 +1000 Don't fail if the domain has a trust already. Andrew Bartlett commit 15d0951b74b46763024560f9cd012338473c5bc3 Merge: 736ce50afd9da9b5fbc3db777fd5341dfa4b721a 9678085f75b6cb0ed068e22f3d9f94247b200ce2 Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Thu Jul 31 07:48:16 2008 +1000 Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local commit 736ce50afd9da9b5fbc3db777fd5341dfa4b721a Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Thu Jul 31 07:47:01 2008 +1000 Start implementind domain trusts in our KDC. Andrew Bartlett commit 26c2a34dec26890230dfa86827804d8160061ce5 Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Thu Jul 31 07:45:30 2008 +1000 Update trustAuthInOutBlob in line with MS-ADTS 7.1.6.8.1 ----------------------------------------------------------------------- Summary of changes: source/kdc/hdb-ldb.c | 40 ++++++++++++++--- source/librpc/idl/drsblobs.idl | 97 +++++++++++++++++++++++++++------------- source/torture/rpc/dssync.c | 42 ++++++++++++++--- source/torture/rpc/lsa.c | 7 +++- 4 files changed, 139 insertions(+), 47 deletions(-) Changeset truncated at 500 lines: diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c index 8f8ce30..a997eb0 100644 --- a/source/kdc/hdb-ldb.c +++ b/source/kdc/hdb-ldb.c @@ -853,7 +853,8 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, { krb5_error_code ret; struct ldb_message **msg = NULL; - struct ldb_message **realm_ref_msg = NULL; + struct ldb_message **realm_ref_msg_1 = NULL; + struct ldb_message **realm_ref_msg_2 = NULL; struct ldb_dn *realm_dn; krb5_principal alloc_principal = NULL; @@ -864,14 +865,18 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, } /* krbtgt case. Either us or a trusted realm */ + if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, - mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) { + mem_ctx, principal->realm, &realm_ref_msg_1) == 0) + && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, + mem_ctx, principal->name.name_string.val[1], &realm_ref_msg_2) == 0) + && (ldb_dn_cmp(realm_ref_msg_1[0]->dn, realm_ref_msg_1[0]->dn) == 0)) { /* us */ /* Cludge, cludge cludge. If the realm part of krbtgt/realm, * is in our db, then direct the caller at our primary - * krgtgt */ + * krbtgt */ - const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL); + const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg_1[0], "dnsRoot", NULL); char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain); if (!realm_fixed) { krb5_set_error_string(context, "strupper_talloc: out of memory"); @@ -891,8 +896,26 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, return ENOMEM; } principal = alloc_principal; - realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL); + realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg_1[0], "nCName", NULL); } else { + enum direction { + INBOUND, + OUTBOUND + } + + struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context *); + /* Either an inbound or outbound trust */ + + if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) { + /* look for inbound trust */ + } + + if (strcasecmp(lp_realm(lp_ctx), principal->name.name_string.val[1]) == 0) { + /* look for outbound trust */ + } + + /* Trusted domains are under CN=system */ + /* we should lookup trusted domains */ return HDB_ERR_NOENTRY; } @@ -1022,10 +1045,13 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, if (ret != HDB_ERR_NOENTRY) goto done; } if (flags & HDB_F_GET_SERVER) { - ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex); - if (ret != HDB_ERR_NOENTRY) goto done; + /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */ ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; + + /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */ + ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex); + if (ret != HDB_ERR_NOENTRY) goto done; } if (flags & HDB_F_GET_KRBTGT) { ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex); diff --git a/source/librpc/idl/drsblobs.idl b/source/librpc/idl/drsblobs.idl index adfc010..b0cddfc 100644 --- a/source/librpc/idl/drsblobs.idl +++ b/source/librpc/idl/drsblobs.idl @@ -1,6 +1,6 @@ #include "idl_types.h" -import "drsuapi.idl", "misc.idl"; +import "drsuapi.idl", "misc.idl", "samr.idl"; [ uuid("12345778-1234-abcd-0001-00000001"), @@ -359,9 +359,55 @@ interface drsblobs { typedef struct { NTTIME time1; uint32 unknown1; + DATA_BLOB value; + [flag(NDR_ALIGN4)] DATA_BLOB _pad; + } trustAuthInOutSecret1; + + typedef struct { + [relative] trustAuthInOutSecret1 *value1; + [relative] trustAuthInOutSecret1 *value2; + } trustAuthInOutCtr1; + + typedef [v1_enum] enum { + TRUST_AUTH_TYPE_NONE = 0, + TRUST_AUTH_TYPE_NT4OWF = 1, + TRUST_AUTH_TYPE_CLEAR = 2, + TRUST_AUTH_TYPE_VERSION = 3 + } trustAuthType; + + typedef struct { + [value(0)] uint32 size; + } AuthInfoNone; + + typedef struct { + [value(16)] uint32 size; + samr_Password password; + } AuthInfoNT4Owf; + + typedef struct { + uint32 size; + uint8 password[size]; + } AuthInfoClear; + + typedef struct { + [value(4)] uint32 size; + uint32 version; + } AuthInfoVersion; + + typedef [nodiscriminant] union { + [case(TRUST_AUTH_TYPE_NONE)] AuthInfoNone none; + [case(TRUST_AUTH_TYPE_NT4OWF)] AuthInfoNT4Owf nt4owf; + [case(TRUST_AUTH_TYPE_CLEAR)] AuthInfoClear clear; + [case(TRUST_AUTH_TYPE_VERSION)] AuthInfoVersion version; + } AuthInfo; + + typedef struct { + NTTIME LastUpdateTime; + trustAuthType AuthType; + /* * the secret value is encoded as UTF16 if it's a string - * but krb5 trusts have random bytes here, so converting to UTF16 + * but depending the AuthType, it might also be krb5 trusts have random bytes here, so converting to UTF16 * mayfail... * * TODO: We should try handle the case of a random buffer in all places @@ -372,49 +418,36 @@ interface drsblobs { * uint32 value_len; * [charset(UTF16)] uint8 value[value_len]; */ - DATA_BLOB value; + [switch_is(AuthType)] AuthInfo AuthInfo; [flag(NDR_ALIGN4)] DATA_BLOB _pad; - } trustAuthInOutSecret1; + } AuthenticationInformation; typedef struct { - [relative] trustAuthInOutSecret1 *value1; - [relative] trustAuthInOutSecret1 *value2; - } trustAuthInOutCtr1; + AuthenticationInformation info[1]; + } AuthenticationInformation1; typedef struct { - NTTIME time1; - uint32 unknown1; - DATA_BLOB value; - NTTIME time2; - uint32 unknown2; - uint32 unknown3; - uint32 unknown4; - [flag(NDR_ALIGN4)] DATA_BLOB _pad; - } trustAuthInOutSecret2V1; + AuthenticationInformation info[2]; + } AuthenticationInformation2; typedef struct { - NTTIME time1; - uint32 unknown1; - DATA_BLOB value; - NTTIME time2; - uint32 unknown2; - uint32 unknown3; - [flag(NDR_ALIGN4)] DATA_BLOB _pad; - } trustAuthInOutSecret2V2; + [relative] AuthenticationInformation1 *current; + [relative] AuthenticationInformation1 *previous; + } AuthenticationInformationCtr1; typedef struct { - [relative] trustAuthInOutSecret2V1 *value1; - [relative] trustAuthInOutSecret2V2 *value2; - } trustAuthInOutCtr2; + [relative] AuthenticationInformation2 *current; + [relative] AuthenticationInformation2 *previous; + } AuthenticationInformationCtr2; typedef [nodiscriminant] union { - [case(1)] trustAuthInOutCtr1 ctr1; - [case(2)] trustAuthInOutCtr2 ctr2; - } trustAuthInOutCtr; + [case(1)] AuthenticationInformationCtr1 info1; + [case(2)] AuthenticationInformationCtr2 info2; + } AuthenticationInformationCtr; typedef [public] struct { - uint32 version; - [switch_is(version)] trustAuthInOutCtr ctr; + uint32 count; + [switch_is(count)] AuthenticationInformationCtr auth; } trustAuthInOutBlob; void decode_trustAuthInOut( diff --git a/source/torture/rpc/dssync.c b/source/torture/rpc/dssync.c index 2930a9b..d340543 100644 --- a/source/torture/rpc/dssync.c +++ b/source/torture/rpc/dssync.c @@ -34,6 +34,7 @@ #include "libcli/auth/libcli_auth.h" #include "auth/gensec/gensec.h" #include "param/param.h" +#include "dsdb/samdb/samdb.h" struct DsSyncBindInfo { struct dcerpc_pipe *pipe; @@ -314,6 +315,14 @@ static bool test_GetInfo(struct torture_context *tctx, struct DsSyncTest *ctx) printf("cldap_netlogon() returned Server Site-Name: %s.\n",search.out.netlogon.nt5_ex.server_site); } + if (!ctx->domain_dn) { + struct ldb_context *ldb = ldb_init(ctx, tctx->ev); + struct ldb_dn *dn = samdb_dns_domain_to_dn(ldb, ctx, search.out.netlogon.nt5_ex.dns_domain); + ctx->domain_dn = ldb_dn_alloc_linearized(ctx, dn); + talloc_free(dn); + talloc_free(ldb); + } + return ret; } @@ -465,6 +474,9 @@ static void test_analyse_objects(struct torture_context *tctx, DATA_BLOB *enc_data = NULL; DATA_BLOB plain_data; struct drsuapi_DsReplicaAttribute *attr; + ndr_pull_flags_fn_t pull_fn = NULL; + ndr_print_fn_t print_fn = NULL; + void *ptr = NULL; attr = &cur->object.attribute_ctr.attributes[i]; switch (attr->attid) { @@ -486,6 +498,9 @@ static void test_analyse_objects(struct torture_context *tctx, break; case DRSUAPI_ATTRIBUTE_supplementalCredentials: name = "supplementalCredentials"; + pull_fn = (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob; + print_fn = (ndr_print_fn_t)ndr_print_supplementalCredentialsBlob; + ptr = talloc(ctx, struct supplementalCredentialsBlob); break; case DRSUAPI_ATTRIBUTE_priorValue: name = "priorValue"; @@ -495,9 +510,15 @@ static void test_analyse_objects(struct torture_context *tctx, break; case DRSUAPI_ATTRIBUTE_trustAuthOutgoing: name = "trustAuthOutgoing"; + pull_fn = (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob; + print_fn = (ndr_print_fn_t)ndr_print_trustAuthInOutBlob; + ptr = talloc(ctx, struct trustAuthInOutBlob); break; case DRSUAPI_ATTRIBUTE_trustAuthIncoming: name = "trustAuthIncoming"; + pull_fn = (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob; + print_fn = (ndr_print_fn_t)ndr_print_trustAuthInOutBlob; + ptr = talloc(ctx, struct trustAuthInOutBlob); break; case DRSUAPI_ATTRIBUTE_initialAuthOutgoing: name = "initialAuthOutgoing"; @@ -528,7 +549,6 @@ static void test_analyse_objects(struct torture_context *tctx, name, (long)enc_data->length, (long)plain_data.length)); if (plain_data.length) { enum ndr_err_code ndr_err; - struct supplementalCredentialsBlob scb; dump_data(0, plain_data.data, plain_data.length); if (save_values_dir) { char *fname; @@ -545,15 +565,20 @@ static void test_analyse_objects(struct torture_context *tctx, talloc_free(fname); } - ndr_err = ndr_pull_struct_blob_all(&plain_data, tctx, - lp_iconv_convenience(tctx->lp_ctx), &scb, - (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob); - if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb); + if (pull_fn) { + ndr_err = ndr_pull_struct_blob_all(&plain_data, ptr, + lp_iconv_convenience(tctx->lp_ctx), ptr, + pull_fn); + if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + ndr_print_debug(print_fn, name, ptr); + } else { + DEBUG(0, ("Failed to decode %s\n", name)); + } } } else { dump_data(0, enc_data->data, enc_data->length); } + talloc_free(ptr); } } } @@ -800,7 +825,10 @@ static bool test_FetchNT4Data(struct torture_context *tctx, r.in.req.req1.data = cookie.data; status = dcerpc_drsuapi_DsGetNT4ChangeLog(ctx->new_dc.drsuapi.pipe, ctx, &r); - if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { + printf("DsGetNT4ChangeLog not supported by target server\n"); + break; + } else if (!NT_STATUS_IS_OK(status)) { const char *errstr = nt_errstr(status); if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) { errstr = dcerpc_errstr(ctx, ctx->new_dc.drsuapi.pipe->last_fault_code); diff --git a/source/torture/rpc/lsa.c b/source/torture/rpc/lsa.c index e6102f0..4fb459e 100644 --- a/source/torture/rpc/lsa.c +++ b/source/torture/rpc/lsa.c @@ -1830,7 +1830,12 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p, enum_status = dcerpc_lsa_EnumTrustDom(p, mem_ctx, &r); - if (!(NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES))) { + if (NT_STATUS_IS_OK(enum_status)) { + if (domains.count == 0) { + printf("EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n"); + return false; + } + } else if (!(NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES))) { printf("EnumTrustDom of zero size failed - %s\n", nt_errstr(enum_status)); return false; } -- Samba Shared Repository